If a proactive task is not worth doing, then in rare cases a modification might be justified for much the same

reasons as those which apply to failures with operational consequences.

5.6 Hidden Failure Consequences

Hidden Failures and Protective Devices
Chapter 2 mentioned that the growth in the number of ways in which equipment can fail has led to corresponding growth in the variety arid severity of failure consequences which fall into the evident categories. It also mentioned that protective devices are being used increasingly in an attempt to eliminate (or at least reduce) these consequences, and explained how these devices work in one of five ways: to alert operators to abnormal conditions to shut down the equipment in the evcnt of a failure to eliminate or relieve abnormal conditions which follow ;I failure and which might otherwise cause much more serious damage * to take over from a function which has failed * to prevent dangerous situations from arising. In essence, the function of these devices is to ensure that the consequences of the failure of the protected function are n ~ i ~ less serious than ch they would be if there were no protection. So any protective device is in fact part of a system with at least two components: the protective device the protected function.
For example, Pump C in Figure 5.7 can be regarded as a protective device, because it 'protects'the pumping function if Pump B should fail. Pump B is of course the protected function.

Further Points Concerning Non-operational Consequences

Two more points need to be considered when reviewing failures with non-operational consequences, as follows: s e c o n d a damage: Some failure rnodes cause considerable secondary ry damage if they are not anticipated or prevented, which adds to the cost of repairing them. A suitable proactive task could make it possible to prevent or anticipate the failure and avoid this damage. However, such a task is only justified if the cost of doing it is less than the cost of repairing the failure and the secondary damage.
For example, in Figure 5.7 the description of the failure effects suggests that the seizure of the bearing causes no secondary damage. If this is so, then the analysis is valid.However, if the unanticipated failure of the bearing alsocauses (say) the shaft to shear, then a proactive task which detects imminent bearing failure would enable the operators to shut down the pump before the shaft is damaged. In this case the cost of the unanticipated faiture of the bearing is: the cost of replacing the bearing and the shaft. On the other hand, the cost of the proactive task (per bearing failure) is still: f 1 200 plus the cost of replacing the bearing. Clearly, the task is worth doing if it costs more than f 1 200 to replace the shaft. If it costs less than f 1 200, then this task is still not worth doing.

protected functions: is only valid to say that a failure will have nonit operational consequences because a stand-by or redundant component is available if it is reasonable to assume that the protective device will be functional when the failure occLIrs. This of course means that a suitable maintenance program must be applied to the protective device (the stand-by pump in the example given above). This issue is discussed at length in the next part of this chapter. If the consequences of the multiplc failure of a protected system are particul;trly serious, it rnay be worth trying to prevent the failure of the protected function as well as the protective device in order to reduce the probability of the multiple failure to a tolerable level. (As explained on Page 97, if the rni~ltiple failure has safety consequences, it may be wise to assess consequences as if the protection was not present at all, and then to revalidate the protection as part of the task selection process.)

The existence of such a system creates two sets of failure possibilities, depending on whether the protective device is fail-safe or not. We consider the implications of each set in the following paragraphs, starting with devices which are fail-safe. Fuil-saje protective devices In this context, fail-safe means that the failure of the device o n its o w n will nor~nal circtrnixtances become evident to the operating crew ~lnder

Zrz the context of this hook, a 'fail-safe' device is one whose failure on its own will become evident to the operating crew under norrnal circurnstances